Loop DoS: Datagram Application-Layer Denial of Service Attacks

On March 19, 2024, a new threat emerged from the research group of Prof. Dr. Christian Rossow at CISPA Helmholtz Center for Information Security in Germany. This threat targets a vulnerability in application-layer services using the User Datagram Protocol (UDP), shedding light on a potentially devastating attack vector.

Dubbed CVE-2024-2169, this vulnerability exposes a flaw in several implementations of UDP application protocols, allowing attackers to exploit it for malicious purposes. The attack vector involves crafting a payload that triggers an error condition in a vulnerable server, prompting it to reply with a failure datagram. When received by another vulnerable server, this failure datagram triggers a cascade of responses between the two systems, creating a perpetual loop of error messages.

What makes this attack particularly insidious is its ability to bypass traditional safeguards like IP Time-to-Live (TTL) hop count limiters. As datagrams are regenerated for every response, the loop condition persists indefinitely, posing a significant challenge for detection and mitigation.

To initiate a loop, attackers need to identify at least one other vulnerable system running the same service. By spoofing the source IP of the initial request, they can trick their victim into responding to another vulnerable server, amplifying the attack by creating multiple loops between systems and overwhelming the target.

The implications of this vulnerability can be far-reaching, affecting hundreds of thousands of publicly exposed servers running vulnerable implementations of DNS, TFTP, NTP, Echo, Chargen, or QOTD. The stateless nature of UDP leaves legitimate services susceptible to abuse, with estimates suggesting that around 300,000 internet hosts are vulnerable to loop DoS attacks.

Detecting vulnerable systems is crucial for preemptive protection. Researchers at CISPA have developed a tool to scan for vulnerable systems, aiding in the identification and mitigation of potential threats. Additionally, organizations are urged to avoid exposing UDP-based services whenever possible, and if unavoidable, ensure they are kept up to date with the latest security patches and protected by robust security solutions.

For more information on this threat alert including attack vectors, affected services, indicators of compromise, and effective DDoS and Web application security essentials, visit the complete Radware Loop DoS Threat Alert.

Ward Wrzenski

Ward Wrzenski is a marketing professional with more than 20 years of experience as a successful industry analyst and influencer relations professional at market leading companies such as Radware, Tata Consultancy Services, Cisco, Oracle, Macromedia and Gartner (formerly AMR Research). Ward is passionate about understanding the motivations and objectives of industry influencers and their impact on purchase decisions through consulting, social media, reports, collaborative marketing, blogs, events and advisory. Ward has completed MIT Sloan School of Management Executive Education and holds a BSBA and MBA from Northeastern University.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center